The challenges of today’s business needs have led every quality assurance (QA) tester to think about how they can leverage the cloud as an infrastructure, platform or even a software. Online collaboration solutions, web 2.0 applications, databases, storage and QA/DEV environments are typical cloud use cases that have gained much importance over the years. With the growing importance of these use cases, it has also become important to understand the issues and threats QA testers face, especially in testing environments using cloud data storages.
Let us delve deep into this and understand how data is stored in the cloud; their lifecycle; how they are secured; and the issue of security regarding cloud storage.
Cloud Computing and Cloud Data Storage
We know that cloud computing is a set of ‘remote processing’ performed by a distant server, available anytime and anywhere. It is typically made up of three categories:
- platform-as-a-service (PaaS), which offers a platform for customers to develop, manage and run applications without the complexity of building and maintaining infrastructure;
- infrastructure-as-a-service (IaaS), providing virtualised computing resources over the internet such as location, data partitioning, security, backup and scaling; and
- software-as-a-service (SaaS) that provides applications and software on demand.
There is no doubt that a cloud environment provides diverse types of storage solutions, each having their own limitations and advantages and based on the requirement and availability of data.
Threats and Issues in Data Cloud Storage
It can be argued that data storage is the most important component of cloud computing, and that is why the security of data over distributed computing is always a big issue. There are a lot of security issues regarding cloud storage; some of the most prevalent and serious ones are listed below:
Anonymity: In cloud data storages, anonymity is a technique to obscure the published data and key information preventing the associated identity of the owner of data. However, data anonymity has different vulnerabilities like the hidden identity of adversary threats, loopholes in the procedure of re-identification or de-anonymity.
Account or Service Traffic Hijacking: It is usually performed with stolen credentials and remains a top threat. With stolen credentials, attackers can often access critical areas of deployed cloud computing services, allowing them to compromise the confidentiality, integrity and availability of those services. Various malpractices like exploitation of vulnerabilities in software, such as theft of passwords/credentials and buffer overflow attacks as well as phishing attacks can lead to the loss of control over user accounts. This can result in the hacker gaining control over the user account and eavesdropping on transactions, manipulation of data and/or redirecting customers to a competitor’s web page or inappropriate sites.
Availability: The main goal of cloud service is also to provide high availability to the client. Its focus is to ensure that a user can get information anywhere anytime. Availability not only refers to the software, but it also provides hardware as demand from authorized users. In a multi-tier architecture, which is supported by load balancing and running on many servers, network-based attacks such as DoS or DDoS attack can come easily. The cloud storage lacks in availability attribute because of flooding attack in the network. A malicious insider in the storage system may also be a big issue for it.
Data Loss and Leakage: Data breaches are the result of an intrusive action and data loss may occur when disk drive dies without creating any backup. It is the loss of privacy, trust and has a direct effect on the SLA policy, which are the main concerns of cloud users.
Cryptography: Often cryptographic mechanisms seem to fail when a security measure is applied. In a cloud, cryptographic techniques are applied to overcome the loopholes in security areas. However, challenges such as prime factorisation of large numbers in RSA and discrete logarithmic problems in ECC and faulty implementation may cause a brute force attack. Poor key management, computation efficiency, verifiable data are also other issues related to cloud cryptography.
Integrity and Confidentiality Issues: Integrity is the most critical element in the information system in order to protect the data from unauthorised modification, deletion or alteration. The security issue arises when incorrectly defined security parameters or incorrectly configured VMs and hypervisor are used with malicious intent. The multi-tenant nature of cloud may result in the violation of integrity and confidentiality, so increasing the number of users enhancing the security risk. Some well-known integrity attacks include the man in the middle (MIM) attack, session hijacking, data diddling attack, password, packet sniffing and social engineering attacks and may affect the confidentiality of information seriously.
Malware and Worms: This involves an e-crime attack to inject malware into cloud storage called ‘Botnets’, turning them into ‘zombies’ aiming at attacking a larger network servers’ computer.
Inference: Inference is a database system technique used to attack databases where malicious users infer sensitive information from complex databases at a high level. It simply means finding information hidden from normal users by using data mining techniques.
What can be Done?
QA practitioners and organisations that are keen to use cloud computing to run their in-house applications must modify their software development approach and should be concerned about the key points that help to design programming standards as well as adopt multi-tenancy and security capabilities. A three-tier (application level, cloud-service middle level, and infrastructure level) structure can be followed:
Application Level: The security concerns for this level is end-to-end and cloud systems need to have a common security to achieve end-to-end visibility and control over data, identities and application in the cloud system. However, on an application level, enterprises data, along with other organisation data, is stored at the SaaS provider data centre. In addition, cloud providers might be replicating the data across multiple locations in the world to maintain high availability. This is why it is no wonder that cloud vendors such as Google App, Amazon and Elastic Compute Cloud (EC2) require administrators to use their individual cryptographic algorithm with strong Secure Shell (SSH) to access the hosts. A malicious program can easily exploit the vulnerabilities in the data security model for unauthorised access.
Service Middleware Level: Middleware can be described as glue software that makes it easier for the software developer to perform communication in a cloud environment. Nowadays, as the importance of middleware increases, the security challenges also increases. Some of the issues include protocol standard security, user authentication and conceptualisation, middleware trust, service credibility and regulations, cryptographic solution, spam snooping and sniffing.
Infrastructure Level: Cloud infrastructure can manage the computer capabilities such as performance, bandwidth and storage access. A secure and efficient cloud authentication process and user abstraction should be provided in the infrastructure level. All virtual machines working together should be mutually authenticated and good machine availability management should also be available. The security risks to the cloud systems while facilitating Virtual Private Network (VPN) are on-demand resource availability and machine-to-machine performance monitoring.
Cloud computing offers many advantages, on-demand, scalable, resources and IT-based solutions without the need to invest in new infrastructure. Despite these features, the security of storage is a critical point that confronts this technology. Every QA tester should keep these issues and threats in mind while using assistance through cloud computing.